[Samba] BDC Rejecting auth request from client + Windows 7
David Noriega
tsk133 at my.utsa.edu
Mon Feb 11 09:52:48 MST 2013
We are at a university and have no control over the network, thus I made
the BDC use a dynamic IP so it's on the same subnet as the clients.
The PDC is running Samba 3.5.10-125 (CentOS 6.3) and the BDC is running
3.5.19-44 (CentOS 5.8).
Both servers use the same LDAP server.
pdbedit does show the same accounts on both servers.
Here is my smb.conf for the PDC:
[global]
workgroup = XXXX
netbios name = XXXX
server string = PDC %v
encrypt passwords = yes
#enable privileges = yes
passdb backend = ldapsam:ldap://x.x.x.x
ldapsam:trusted = yes
domain master = yes
preferred master = yes
local master = yes
os level = 255
dns proxy = yes
wins support = yes
name resolve order = host wins lmhosts bcast
domain logons = yes
client ntlmv2 auth = yes
loglevel = 3
log file = /var/log/samba/log.%m
syslog = 0
time server = yes
ldap suffix = dc=x,dc=x,dc=x
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
logon path = \\%L\profiles\%U
logon script = netlogon.bat
time server = Yes
deadtime = 10
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
printcap name = /etc/printcap
load printers = no
interfaces = eth0
bind interfaces only = yes
And for the BDC:
[global]
workgroup = XXXX
netbios name = BDC
server string = BDC %v
encrypt passwords = yes
enable privileges = yes
passdb backend = ldapsam:ldap://pavlov.cbi.utsa.edu
ldapsam:trusted = yes
domain master = no
client ntlmv2 auth = yes
local master = yes
preferred master = yes
os level = 50
dns proxy = no
wins server = x.x.x.x
domain logons = yes
loglevel = 3
log file = /var/log/samba/log.%m
syslog = 0
time server = yes
ldap suffix = dc=x,dc=x,dc=x
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
logon path = ""
logon script = netlogon.bat
remote announce = x.x.x.x/XXXX
remote browse sync = x.x.x.x
printcap name = /etc/printcap
load printers = no
interfaces = eth2
bind interfaces only = yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w %u
On Fri, Feb 8, 2013 at 2:34 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> I don't quite understand: why does the BDC have a dynamic IP address? Or
> have I misunderstood? The DHCP server can provide the IP of the WINS
> servers to DHCP clients. Are the XP and Win 7 workstations on a separate
> subnet from the servers?
>
> What version are the Samba servers? Do both Samba servers point to a
> single LDAP server, or do they each have their own LDAP server in
> replication? Does "pdbedit -Lv" show the same accounts on each DC?
> Is it possible that the Windows 7 machine accounts have not replicated to
> the BDC?
>
> Have you specified the ports in the smb.conf file? By default Samba uses
> ports 137, 138, and 445. In theory you can disable port 445 (it reduces
> some of the transport warnings), but I find that causes problems with name
> resolution when a router or VPN is involved. So you are better off just
> sticking with the defaults.
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of David Noriega
> Sent: Friday, February 08, 2013 1:56 PM
> To: samba at lists.samba.org
> Subject: [Samba] BDC Rejecting auth request from client + Windows 7
>
> Just some background: in our environment, we are running both a PDC and a
> BDC. The local network setup has static IPs on a different subnet from the
> DHCP IPs, so the PDC has a static IP and the BDC has a dynamic one, so the
> Windows machines are able to see the domain without hardcoding the IP of the
> PDC as a WINS server on each machine. This has worked fine for Windows XP.
> We are also using LDAP as the backend.
>
> Now we have a Windows 7 box and I have followed various instructions and
> modified entries within the registry as everyone else has specified. While
> I can join the domain, after reboot I get the trust relationship failed
> error (or on a rare occasion it will say no logon servers available).
> Checking the logs I have mapped out the following:
>
> 1. Win7 client asks to join the domain
> 2. PDC responds and adds machine to LDAP
> 3. Win7 accepts and tests machine account
> 4. BDC rejects auth request
> 5. Win7 logs this, but still shows successful join message and reboots
> 6. Win7 then refuses to log in on the domain. I can type in gibberish and
> still get the trust relationship failed message.
>
> Here is the following from the BDC:
>
> [2013/02/08 13:11:05.458750, 2] lib/smbldap.c:950(smbldap_open_connection)
>   smbldap_open_connection: connection opened
> [2013/02/08 13:11:05.504483, 2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
>   credentials check failed
> [2013/02/08 13:11:05.504529, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
> [2013/02/08 13:11:05.524195, 2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
>   credentials check failed
> [2013/02/08 13:11:05.524235, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
> [2013/02/08 13:11:15.914207, 0] lib/util_sock.c:474(read_fd_with_timeout)
> [2013/02/08 13:11:15.914316, 0] lib/util_sock.c:1441(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>